While there are some docs on the net about securing IRIX and configuring ipfilters, I'd go with OpenBSD for a firewall -- clear track record, excellent documentation, secure "by default", and so on. I'm not saying that it's impossible to use IRIX as a firewall system, just that it will take a lot more effort and knowledge to secure it and to keep it secure.

Especially considering that with IP24 you're limited to IRIX 6.5.22 and down, and no new security patches are being built for those releases (patches are only verified on current release c, c-1, c-2, c-3).

Another good reason is that you are experienced building firewalls in xBSD. You could have some problems if you're learning on something that security-critical. Not will, just could, and there's no reason to risk it. Have some fun with the Indy instead.

Thanks for the tips! I've just realised also that I only have one network interface in the Indy so it's not really an option. Well, back to trying to make it display full-screen MPEG video then... eventually... damn procrastination!

Security by obscurity: OpenBSD + SGI hardware for a firewall is a kick-ass combination, but SUN hardware is also a good choice, as RISC architectures are less prone to buffer overflows (not that any are known for OpenBSD, but still). I would try to avoid i386 hardware for a firewall just because every idiot now is playing with this hardware. On the other hand, if you want to save money on your electric bill, fanless Mini-ITX motherboards are a great way to go. They run i386, however.

The new x86s have execute disable, and with a well-built firewall there won't be many holes to get into anyway. Indeed, a case could be made favoring a big arch (x86, SPARC, probably AXP), as more people will be looking for the little issues and fixing them, and while very few issues will be platform-dependent, you know the x86 ones will be found and fixed. Just keep on top of things and you'll be fine.

The big downside with many workstations as firewalls (especially old workstations) is finding the second network interface. Indigo/Indy really loses out there. SBus is pretty common, but it's hard to argue with a well-built PCI PC (emphasis on well-built; junk H/W will make your life miserable with problems).

Mostly, it's that most buffer-overflow-based shellcode exploits use x86 opcodes in their trickery; this will just explosively segfault on a MIPS or other non-x86. I once built a webserver using a SPARC machine in part because of this. (The customer in question wanted Apache+Solaris+PostgreSQL+Python regardless of arch, though.)